A Cost-Sensitive Model for Preemptive Intrusion Response Systems

The proliferation of complex and fast-spreading intrusions not only requires advances in intrusion detection mechanisms but also demands the development of sophisticated and automated intrusion response systems. In this paper we present a novel cost-sensitive model for intrusion response that incorporates preemptive deployment of response actions. Specifically, our technique compares the cost of deploying a response against the cost of the damage caused by an "unattended" intrusion and preemptively deploys the response with the maximum benefit. Our technique further allows responses to adapt to a changing environment by evaluating the success and failure of previously triggered responses. We demonstrate the advantages of the approach and evaluate it using a damage reduction metric.
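The decision the abstract describes (deploy only when a response's expected benefit exceeds the cost of leaving the intrusion unattended, and let past success and failure reshape that estimate) can be made concrete in a small model. The following is an added example and is not code from the paper; the benefit formula, the success-rate estimate from success/failure counts, the residual-damage rule and the damage reduction metric are all assumptions chosen to illustrate the idea, and the response catalogue and intrusion events are constructed sample data.

```python
"""Illustrative cost-sensitive, preemptive response selection (added example;
the formulas and data here are assumptions, not the paper's definitions)."""
from dataclasses import dataclass


@dataclass
class Response:
    name: str
    deploy_cost: float              # assumed cost of deploying this response
    damage_fraction_blocked: float  # assumed share of damage prevented when it succeeds
    successes: int = 1              # assumed prior counts (Laplace prior) for adaptation
    failures: int = 1

    def success_rate(self) -> float:
        """Adaptive estimate learned from previously triggered responses."""
        return self.successes / (self.successes + self.failures)

    def expected_benefit(self, unattended_damage: float) -> float:
        """Expected damage avoided minus deployment cost (assumed benefit model)."""
        avoided = self.success_rate() * self.damage_fraction_blocked * unattended_damage
        return avoided - self.deploy_cost

    def record(self, succeeded: bool) -> None:
        """Feed the observed outcome back so later decisions adapt."""
        if succeeded:
            self.successes += 1
        else:
            self.failures += 1


def make_responses():
    """Constructed sample catalogue of candidate responses."""
    return [
        Response("block_ip", deploy_cost=5.0, damage_fraction_blocked=0.9),
        Response("rate_limit", deploy_cost=1.0, damage_fraction_blocked=0.4),
        Response("reboot_host", deploy_cost=50.0, damage_fraction_blocked=1.0),
    ]


def choose_response(unattended_damage, responses):
    """Pick the maximum-benefit response, or None when leaving the intrusion
    unattended is cheaper than every available response."""
    best = max(responses, key=lambda r: r.expected_benefit(unattended_damage))
    return best if best.expected_benefit(unattended_damage) > 0 else None


def damage_reduction(unattended_damage, residual_damage):
    """Fraction of unattended damage that the responses removed."""
    if unattended_damage <= 0:
        return 0.0
    return 1.0 - residual_damage / unattended_damage


def run_episode(events, responses):
    """Replay (damage, would_succeed) events; would_succeed is a constructed
    oracle for what happens if a response is deployed. Returns total
    unattended damage, total residual damage and the decision sequence."""
    unattended = residual = 0.0
    decisions = []
    for damage, would_succeed in events:
        unattended += damage
        chosen = choose_response(damage, responses)
        if chosen is None:
            residual += damage
            decisions.append(None)
            continue
        chosen.record(would_succeed)
        if would_succeed:
            residual += damage * (1.0 - chosen.damage_fraction_blocked)
        else:
            residual += damage
        decisions.append(chosen.name)
    return unattended, residual, decisions


if __name__ == "__main__":
    # Constructed events: two failed blocks push block_ip's estimate down
    # until the cheaper rate_limit becomes the higher-benefit choice.
    sample_events = [(100.0, False), (100.0, False), (100.0, True), (2.0, True)]
    u, r, d = run_episode(sample_events, make_responses())
    print(d, round(damage_reduction(u, r), 3))
```

With the constructed catalogue, a large intrusion initially selects `block_ip`; after two observed failures its success estimate drops and `rate_limit` wins on expected benefit, while a trivial intrusion is left unattended because no response pays for itself. The damage reduction metric is then computed over the whole episode rather than per event.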
